diff --git a/backend/app/main.py b/backend/app/main.py
index 9ff7c22..0f85f90 100644
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -2,6 +2,9 @@ import os
 from contextlib import asynccontextmanager
 from urllib.parse import urlparse
+from dotenv import load_dotenv
+load_dotenv()
+
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
@@ -108,6 +111,14 @@ def _validate_runtime_secrets():
 broker_token_key = (os.getenv("BROKER_TOKEN_KEY") or "").strip()
 if not broker_token_key:
 raise RuntimeError("BROKER_TOKEN_KEY must be configured in production")
+try:
+from cryptography.fernet import Fernet
+Fernet(broker_token_key.encode("utf-8"))
+except Exception:
+raise RuntimeError(
+"BROKER_TOKEN_KEY is set but invalid — must be a 32-byte URL-safe base64 key. "
+"Generate one with: python -c \"from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())\""
+)
 if (os.getenv("ENABLE_SUPER_ADMIN_BOOTSTRAP") or "").strip() in {"1", "true", "yes"}:
 if not (os.getenv("SUPER_ADMIN_EMAIL") or "").strip():
 raise RuntimeError("SUPER_ADMIN_EMAIL must be configured when bootstrap is enabled")
diff --git a/backend/requirements.txt b/backend/requirements.txt
index c6aec86..ba5768c 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -36,6 +36,7 @@ pydantic==2.12.5
 pydantic_core==2.41.5
 pytest==8.3.5
 python-dateutil==2.9.0.post0
+python-dotenv==1.0.1
 pyotp==2.9.0
 pytz==2025.2
 requests==2.32.5
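Review bot: The unconditional module-level `load_dotenv()` in the import hunk runs in every environment, including the production deployments that `_validate_runtime_secrets` is guarding, so a `.env` file left in the deployed tree (python-dotenv's default search appears to walk up from the caller's directory through parent directories — worth confirming) would silently satisfy the BROKER_TOKEN_KEY and SUPER_ADMIN checks with file contents rather than the deployment's real environment. Consider restricting the call to non-production (the hunk does not show which flag the module uses for that) or at least pinning the path and making the non-overriding behaviour explicit, e.g. `load_dotenv(override=False)  # dev convenience only; never rely on a .env in production`, so the precedence of the real environment over the file is documented at the call site. As a point of style, an executable statement between the import groups also means the `fastapi` imports below it are no longer at the top of the module (E402); moving the call after the last import keeps the import block clean.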
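Review bot: In the `_validate_runtime_secrets` hunk the new `except Exception:` also swallows the ImportError from the local `from cryptography.fernet import Fernet`, so a missing or broken `cryptography` install is reported as "BROKER_TOKEN_KEY is set but invalid", which would send an operator to regenerate a perfectly good key; it also re-raises without chaining, discarding the underlying message. Fernet's constructor signals a bad key with ValueError, so narrowing the handler and chaining the cause fixes both: `except ValueError as exc:` and `) from exc` on the closing paren of the RuntimeError. The key value itself does not appear in Fernet's error text, so chaining does not leak the secret into logs. `_validate_runtime_secrets` begins before this hunk and its remaining body is outside the visible lines.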